Tanzania Cybercrime Bill Should Safeguard Citizens’ Rights on the Internet

Tanzania has published a Cybercrime Bill that makes “provisions for criminalizing offences related to computer systems and Information Communication Technologies” and provides for investigation, collection, and use of electronic evidence.

However, the release of the Cybercrime Bill has been met with apprehension by the public due to its overt disregard for press freedom and freedom of expression, the excessive powers granted to police, and the limited protections afforded to ordinary citizens.

On social media, critics have suggested that the timing and content of the Bill were intended to control the media and bloggers ahead of the October 2015 elections. According to the 2014 State of Internet Freedom in Tanzania report, the process of making Cybercrime laws began in 2013 with proposals for the development of the Cyber security Act, Data Protection Act and the Electronic Transacting Act by the end of 2014.

Some of the problematic clauses in the Bill that affect freedom of expression and privacy include Sections 7, 8, 14, 16, 31, 32, 34, 35, 37, 41 and 45.

Section 7 (2) criminalises citizens who receive unauthorized computer data. There should be consideration of content received with intent and without.

Section 8 and 16 provide vague descriptions of phrases including “unauthorized data” and “false information.” In Section 8, one can be charged with data espionage for obtaining “computer data protected against unauthorized access without permission.” The parameters that define unauthorized data need to be indicated as this could have an impact upon investigative journalists and confidentiality of their sources.

In Section 16, on the Publication of false information, the terms “deceptive, misleading and inaccurate information” are subjective and open to abuse by implementers of the law. A clear definition of what constitutes these terms needs to be stipulated in the bill. Moreover, there should be consideration of the intent of those who publish such information, failing which the law would ultimately stifle freedom of expression, including of creative expression.

Also the lack of definition for ‘unauthorised data’ in Section 7 (2b) and “unsolicited messages” in Section 30 makes the bill open to misinterpretation and abuse by state authorities.

On the issue of pornography, the Bill should not proscribe the offence of pornography in general, particularly where not shared in public and where all parties that access it are adults. As is currently framed, Section 14 can be used to abuse individuals’ right to privacy. Besides, a clear definition of pornography which is “lascivious” or “obscene” should be added to the Bill.

Sections 31, 32, 33, 34 and 35 of the bill provide excessive powers to the police for search and seizure of computer systems; and disclosure of data. These sections should provide clear guidelines, safeguards and oversight, including the requirement for a warrant issued by a competent court of law before any search and seize or disclosure of data is to be undertaken.

For section 31, owners of the property or other independent parties should also be witness to such activity by the police for the safety of the equipment and data seized to be guaranteed.

According to Section 32 (1), “where disclosure of data is required for purposes of criminal investigation or the prosecution of an offence, a police officer in charge of a police station or a law enforcement officer of a similar rank may issue an order to anyperson in possession of such data compelling him todisclose such data.” This section needs to be adjusted to include police officers first obtaining a court order before compelling any person to disclose data.

On the disclosure of data in Clause 32 (3) b, there should be a clear indication as to the kind and extent of information a service provider can provide. Service providers should be required to report subscriber information requests in the public domain on a regular basis.

Further, there needs to indicate means of storage, retention period and methods of disposal for data collected or recorded through technical means as provided under Section 35 (b).

In regard to Section 37 (9), where service providers are required to support the installation of forensic tools, for purposes of transparency they should be compelled to provide reports of such requests made to them.

Section 41 provides for that a hosting provider is not liable for information stored at the request of a user of the service, however following orders from any “competent authority” or court, the provider has to take down offending information. The Bill should name the authority or authorities who can issue an order to a hosting provider. The Bill should also indicate what the course of action in the event that a hosting provider does not comply with the order or where the owner of the information wants to contest the take-down order issued by the competent authority.

In regard to “Take down notifications” as provided in Section 45, service providers should notify the persons upon whom a complaint has been lodged, including the reason for the take down.

Also a section compelling service providers to periodically release takedown requests and actions taken to the public should be included.

There is no indication on the rights the users have of their data nor how it is protected once in the hands of the state, thus further putting citizens’ data at risk especially in the absence of a data privacy and protection law.

The Bill was this week tabled in Parliament by Communication, Science and Technology Minister Professor Makame Mbarawa. However, in their discussions Members of Parliament should consider the amendments proposed by civil society so that the country gets a progressive law that strongly supports freedom of expression and the right to privacy.